1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation
6 * files (the "Software"), to deal in the Software without
7 * restriction, including without limitation the rights to use, copy,
8 * modify, merge, publish, distribute, sublicense, and/or sell copies
9 * of the Software, and to permit persons to whom the Software is
10 * furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include <stdio.h>
26 #include <string.h>
27
28 #include <base/files/file_util.h>
29 #include <gtest/gtest.h>
30 #include <openssl/objects.h>
31 #include <openssl/pem.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
34
35 #include <libavb_atx/libavb_atx.h>
36
37 #include "avb_unittest_util.h"
38 #include "fake_avb_ops.h"
39
40 namespace {
41
42 const char kMetadataPath[] = "test/data/atx_metadata.bin";
43 const char kPermanentAttributesPath[] =
44 "test/data/atx_permanent_attributes.bin";
45 const char kPRKPrivateKeyPath[] = "test/data/testkey_atx_prk.pem";
46 const char kPIKPrivateKeyPath[] = "test/data/testkey_atx_pik.pem";
47
48 class ScopedRSA {
49 public:
ScopedRSA(const char * pem_key_path)50 ScopedRSA(const char* pem_key_path) {
51 FILE* file = fopen(pem_key_path, "r");
52 rsa_ = PEM_read_RSAPrivateKey(file, nullptr, nullptr, nullptr);
53 fclose(file);
54 }
55
~ScopedRSA()56 ~ScopedRSA() {
57 if (rsa_) {
58 RSA_free(rsa_);
59 }
60 }
61
62 // PKCS #1 v1.5 signature using SHA512. Returns true on success.
Sign(const void * data_to_sign,size_t length,uint8_t signature[])63 bool Sign(const void* data_to_sign, size_t length, uint8_t signature[]) {
64 uint8_t digest[AVB_SHA512_DIGEST_SIZE];
65 const unsigned char* data_to_sign_buf =
66 reinterpret_cast<const unsigned char*>(data_to_sign);
67 SHA512(data_to_sign_buf, length, digest);
68 unsigned int signature_length = 0;
69 return (1 == RSA_sign(NID_sha512,
70 digest,
71 AVB_SHA512_DIGEST_SIZE,
72 signature,
73 &signature_length,
74 rsa_));
75 }
76
77 private:
78 RSA* rsa_;
79 };
80
81 } /* namespace */
82
83 namespace avb {
84
85 class AvbAtxValidateTest : public ::testing::Test,
86 public FakeAvbOpsDelegateWithDefaults {
87 public:
~AvbAtxValidateTest()88 ~AvbAtxValidateTest() override {}
89
SetUp()90 void SetUp() override {
91 ReadDefaultData();
92 ops_.set_delegate(this);
93 ops_.set_permanent_attributes(attributes_);
94 ops_.set_stored_rollback_indexes(
95 {{AVB_ATX_PIK_VERSION_LOCATION, 0}, {AVB_ATX_PSK_VERSION_LOCATION, 0}});
96 }
97
98 // FakeAvbOpsDelegate methods.
read_from_partition(const char * partition,int64_t offset,size_t num_bytes,void * buffer,size_t * out_num_read)99 AvbIOResult read_from_partition(const char* partition,
100 int64_t offset,
101 size_t num_bytes,
102 void* buffer,
103 size_t* out_num_read) override {
104 // Expect method not used.
105 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
106 }
107
get_preloaded_partition(const char * partition,size_t num_bytes,uint8_t ** out_pointer,size_t * out_num_bytes_preloaded)108 AvbIOResult get_preloaded_partition(
109 const char* partition,
110 size_t num_bytes,
111 uint8_t** out_pointer,
112 size_t* out_num_bytes_preloaded) override {
113 // Expect method not used.
114 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
115 }
116
write_to_partition(const char * partition,int64_t offset,size_t num_bytes,const void * buffer)117 AvbIOResult write_to_partition(const char* partition,
118 int64_t offset,
119 size_t num_bytes,
120 const void* buffer) override {
121 // Expect method not used.
122 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
123 }
124
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)125 AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
126 const uint8_t* public_key_data,
127 size_t public_key_length,
128 const uint8_t* public_key_metadata,
129 size_t public_key_metadata_length,
130 bool* out_key_is_trusted) override {
131 // Expect method not used.
132 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
133 }
134
read_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t * out_rollback_index)135 AvbIOResult read_rollback_index(AvbOps* ops,
136 size_t rollback_index_slot,
137 uint64_t* out_rollback_index) override {
138 if ((fail_read_pik_rollback_index_ &&
139 rollback_index_slot == AVB_ATX_PIK_VERSION_LOCATION) ||
140 (fail_read_psk_rollback_index_ &&
141 rollback_index_slot == AVB_ATX_PSK_VERSION_LOCATION)) {
142 return AVB_IO_RESULT_ERROR_IO;
143 }
144 return ops_.read_rollback_index(
145 ops, rollback_index_slot, out_rollback_index);
146 }
147
write_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t rollback_index)148 AvbIOResult write_rollback_index(AvbOps* ops,
149 size_t rollback_index_slot,
150 uint64_t rollback_index) override {
151 // Expect method not used.
152 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
153 }
154
read_is_device_unlocked(AvbOps * ops,bool * out_is_device_unlocked)155 AvbIOResult read_is_device_unlocked(AvbOps* ops,
156 bool* out_is_device_unlocked) override {
157 // Expect method not used.
158 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
159 }
160
get_unique_guid_for_partition(AvbOps * ops,const char * partition,char * guid_buf,size_t guid_buf_size)161 AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
162 const char* partition,
163 char* guid_buf,
164 size_t guid_buf_size) override {
165 // Expect method not used.
166 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
167 }
168
get_size_of_partition(AvbOps * ops,const char * partition,uint64_t * out_size)169 AvbIOResult get_size_of_partition(AvbOps* ops,
170 const char* partition,
171 uint64_t* out_size) override {
172 // Expect method not used.
173 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
174 }
175
read_persistent_value(const char * name,size_t buffer_size,uint8_t * out_buffer,size_t * out_num_bytes_read)176 AvbIOResult read_persistent_value(const char* name,
177 size_t buffer_size,
178 uint8_t* out_buffer,
179 size_t* out_num_bytes_read) override {
180 // Expect method not used.
181 return AVB_IO_RESULT_ERROR_NO_SUCH_VALUE;
182 }
183
write_persistent_value(const char * name,size_t value_size,const uint8_t * value)184 AvbIOResult write_persistent_value(const char* name,
185 size_t value_size,
186 const uint8_t* value) override {
187 // Expect method not used.
188 return AVB_IO_RESULT_ERROR_NO_SUCH_VALUE;
189 }
190
read_permanent_attributes(AvbAtxPermanentAttributes * attributes)191 AvbIOResult read_permanent_attributes(
192 AvbAtxPermanentAttributes* attributes) override {
193 if (fail_read_permanent_attributes_) {
194 return AVB_IO_RESULT_ERROR_IO;
195 }
196 return ops_.read_permanent_attributes(attributes);
197 }
198
read_permanent_attributes_hash(uint8_t hash[AVB_SHA256_DIGEST_SIZE])199 AvbIOResult read_permanent_attributes_hash(
200 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) override {
201 if (fail_read_permanent_attributes_hash_) {
202 return AVB_IO_RESULT_ERROR_IO;
203 }
204 return ops_.read_permanent_attributes_hash(hash);
205 }
206
207 protected:
Validate(bool * is_trusted)208 virtual AvbIOResult Validate(bool* is_trusted) {
209 return avb_atx_validate_vbmeta_public_key(
210 ops_.avb_ops(),
211 metadata_.product_signing_key_certificate.signed_data.public_key,
212 AVB_ATX_PUBLIC_KEY_SIZE,
213 reinterpret_cast<const uint8_t*>(&metadata_),
214 sizeof(metadata_),
215 is_trusted);
216 }
217
SignPIKCertificate()218 void SignPIKCertificate() {
219 memset(metadata_.product_intermediate_key_certificate.signature,
220 0,
221 AVB_RSA4096_NUM_BYTES);
222 ScopedRSA key(kPRKPrivateKeyPath);
223 ASSERT_TRUE(
224 key.Sign(&metadata_.product_intermediate_key_certificate.signed_data,
225 sizeof(AvbAtxCertificateSignedData),
226 metadata_.product_intermediate_key_certificate.signature));
227 }
228
SignPSKCertificate()229 void SignPSKCertificate() {
230 memset(metadata_.product_signing_key_certificate.signature,
231 0,
232 AVB_RSA4096_NUM_BYTES);
233 ScopedRSA key(kPIKPrivateKeyPath);
234 ASSERT_TRUE(key.Sign(&metadata_.product_signing_key_certificate.signed_data,
235 sizeof(AvbAtxCertificateSignedData),
236 metadata_.product_signing_key_certificate.signature));
237 }
238
239 AvbAtxPermanentAttributes attributes_;
240 AvbAtxPublicKeyMetadata metadata_;
241 bool fail_read_permanent_attributes_{false};
242 bool fail_read_permanent_attributes_hash_{false};
243 bool fail_read_pik_rollback_index_{false};
244 bool fail_read_psk_rollback_index_{false};
245
246 private:
ReadDefaultData()247 void ReadDefaultData() {
248 std::string tmp;
249 ASSERT_TRUE(base::ReadFileToString(base::FilePath(kMetadataPath), &tmp));
250 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPublicKeyMetadata));
251 memcpy(&metadata_, tmp.data(), tmp.size());
252 ASSERT_TRUE(
253 base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
254 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
255 memcpy(&attributes_, tmp.data(), tmp.size());
256 }
257 };
258
TEST_F(AvbAtxValidateTest,Success)259 TEST_F(AvbAtxValidateTest, Success) {
260 bool is_trusted = false;
261 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
262 EXPECT_TRUE(is_trusted);
263
264 // Check that the key versions were reported correctly.
265 EXPECT_EQ(
266 ops_.get_verified_rollback_indexes()[AVB_ATX_PIK_VERSION_LOCATION],
267 metadata_.product_intermediate_key_certificate.signed_data.key_version);
268 EXPECT_EQ(ops_.get_verified_rollback_indexes()[AVB_ATX_PSK_VERSION_LOCATION],
269 metadata_.product_signing_key_certificate.signed_data.key_version);
270 EXPECT_EQ(2UL, ops_.get_verified_rollback_indexes().size());
271 }
272
TEST_F(AvbAtxValidateTest,SuccessAfterNewSign)273 TEST_F(AvbAtxValidateTest, SuccessAfterNewSign) {
274 std::string old_pik_sig(
275 reinterpret_cast<char*>(
276 metadata_.product_intermediate_key_certificate.signature),
277 AVB_RSA4096_NUM_BYTES);
278 std::string old_psk_sig(
279 reinterpret_cast<char*>(
280 metadata_.product_signing_key_certificate.signature),
281 AVB_RSA4096_NUM_BYTES);
282 SignPIKCertificate();
283 SignPSKCertificate();
284 std::string new_pik_sig(
285 reinterpret_cast<char*>(
286 metadata_.product_intermediate_key_certificate.signature),
287 AVB_RSA4096_NUM_BYTES);
288 std::string new_psk_sig(
289 reinterpret_cast<char*>(
290 metadata_.product_signing_key_certificate.signature),
291 AVB_RSA4096_NUM_BYTES);
292 EXPECT_EQ(old_pik_sig, new_pik_sig);
293 EXPECT_EQ(old_psk_sig, new_psk_sig);
294 bool is_trusted = false;
295 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
296 EXPECT_TRUE(is_trusted);
297 }
298
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributes)299 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributes) {
300 fail_read_permanent_attributes_ = true;
301 bool is_trusted = true;
302 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
303 EXPECT_FALSE(is_trusted);
304 }
305
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributesHash)306 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributesHash) {
307 fail_read_permanent_attributes_hash_ = true;
308 bool is_trusted = true;
309 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
310 EXPECT_FALSE(is_trusted);
311 }
312
TEST_F(AvbAtxValidateTest,UnsupportedPermanentAttributesVersion)313 TEST_F(AvbAtxValidateTest, UnsupportedPermanentAttributesVersion) {
314 attributes_.version = 25;
315 ops_.set_permanent_attributes(attributes_);
316 bool is_trusted = true;
317 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
318 EXPECT_FALSE(is_trusted);
319 }
320
TEST_F(AvbAtxValidateTest,PermanentAttributesHashMismatch)321 TEST_F(AvbAtxValidateTest, PermanentAttributesHashMismatch) {
322 ops_.set_permanent_attributes_hash("bad_hash");
323 bool is_trusted = true;
324 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
325 EXPECT_FALSE(is_trusted);
326 }
327
328 // A fixture with parameterized metadata length.
329 class AvbAtxValidateTestWithMetadataLength
330 : public AvbAtxValidateTest,
331 public ::testing::WithParamInterface<size_t> {
332 protected:
Validate(bool * is_trusted)333 AvbIOResult Validate(bool* is_trusted) override {
334 return avb_atx_validate_vbmeta_public_key(
335 ops_.avb_ops(),
336 metadata_.product_signing_key_certificate.signed_data.public_key,
337 AVB_ATX_PUBLIC_KEY_SIZE,
338 reinterpret_cast<const uint8_t*>(&metadata_),
339 GetParam(),
340 is_trusted);
341 }
342 };
343
TEST_P(AvbAtxValidateTestWithMetadataLength,InvalidMetadataLength)344 TEST_P(AvbAtxValidateTestWithMetadataLength, InvalidMetadataLength) {
345 bool is_trusted = true;
346 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
347 EXPECT_FALSE(is_trusted);
348 }
349
350 // Test a bunch of invalid metadata length values.
351 INSTANTIATE_TEST_CASE_P(P,
352 AvbAtxValidateTestWithMetadataLength,
353 ::testing::Values(0,
354 1,
355 sizeof(AvbAtxPublicKeyMetadata) - 1,
356 sizeof(AvbAtxPublicKeyMetadata) + 1,
357 -1));
358
TEST_F(AvbAtxValidateTest,UnsupportedMetadataVersion)359 TEST_F(AvbAtxValidateTest, UnsupportedMetadataVersion) {
360 metadata_.version = 25;
361 bool is_trusted = true;
362 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
363 EXPECT_FALSE(is_trusted);
364 }
365
TEST_F(AvbAtxValidateTest,FailReadPIKRollbackIndex)366 TEST_F(AvbAtxValidateTest, FailReadPIKRollbackIndex) {
367 fail_read_pik_rollback_index_ = true;
368 bool is_trusted = true;
369 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
370 EXPECT_FALSE(is_trusted);
371 }
372
TEST_F(AvbAtxValidateTest,UnsupportedPIKCertificateVersion)373 TEST_F(AvbAtxValidateTest, UnsupportedPIKCertificateVersion) {
374 metadata_.product_intermediate_key_certificate.signed_data.version = 25;
375 SignPIKCertificate();
376 bool is_trusted = true;
377 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
378 EXPECT_FALSE(is_trusted);
379 }
380
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubjectPublicKey)381 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubjectPublicKey) {
382 metadata_.product_intermediate_key_certificate.signed_data.public_key[0] ^= 1;
383 bool is_trusted = true;
384 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
385 EXPECT_FALSE(is_trusted);
386 }
387
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubject)388 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubject) {
389 metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
390 bool is_trusted = true;
391 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
392 EXPECT_FALSE(is_trusted);
393 }
394
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedUsage)395 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedUsage) {
396 metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
397 bool is_trusted = true;
398 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
399 EXPECT_FALSE(is_trusted);
400 }
401
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedKeyVersion)402 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedKeyVersion) {
403 metadata_.product_intermediate_key_certificate.signed_data.key_version ^= 1;
404 bool is_trusted = true;
405 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
406 EXPECT_FALSE(is_trusted);
407 }
408
TEST_F(AvbAtxValidateTest,BadPIKCert_BadSignature)409 TEST_F(AvbAtxValidateTest, BadPIKCert_BadSignature) {
410 metadata_.product_intermediate_key_certificate.signature[0] ^= 1;
411 bool is_trusted = true;
412 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
413 EXPECT_FALSE(is_trusted);
414 }
415
TEST_F(AvbAtxValidateTest,PIKCertSubjectIgnored)416 TEST_F(AvbAtxValidateTest, PIKCertSubjectIgnored) {
417 metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
418 SignPIKCertificate();
419 bool is_trusted = false;
420 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
421 EXPECT_TRUE(is_trusted);
422 }
423
TEST_F(AvbAtxValidateTest,PIKCertUnexpectedUsage)424 TEST_F(AvbAtxValidateTest, PIKCertUnexpectedUsage) {
425 metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
426 SignPIKCertificate();
427 bool is_trusted = true;
428 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
429 EXPECT_FALSE(is_trusted);
430 }
431
TEST_F(AvbAtxValidateTest,PIKRollback)432 TEST_F(AvbAtxValidateTest, PIKRollback) {
433 ops_.set_stored_rollback_indexes(
434 {{AVB_ATX_PIK_VERSION_LOCATION,
435 metadata_.product_intermediate_key_certificate.signed_data.key_version +
436 1},
437 {AVB_ATX_PSK_VERSION_LOCATION, 0}});
438 bool is_trusted = true;
439 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
440 EXPECT_FALSE(is_trusted);
441 }
442
TEST_F(AvbAtxValidateTest,FailReadPSKRollbackIndex)443 TEST_F(AvbAtxValidateTest, FailReadPSKRollbackIndex) {
444 fail_read_psk_rollback_index_ = true;
445 bool is_trusted = true;
446 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
447 EXPECT_FALSE(is_trusted);
448 }
449
TEST_F(AvbAtxValidateTest,UnsupportedPSKCertificateVersion)450 TEST_F(AvbAtxValidateTest, UnsupportedPSKCertificateVersion) {
451 metadata_.product_signing_key_certificate.signed_data.version = 25;
452 SignPSKCertificate();
453 bool is_trusted = true;
454 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
455 EXPECT_FALSE(is_trusted);
456 }
457
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubjectPublicKey)458 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubjectPublicKey) {
459 metadata_.product_signing_key_certificate.signed_data.public_key[0] ^= 1;
460 bool is_trusted = true;
461 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
462 EXPECT_FALSE(is_trusted);
463 }
464
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubject)465 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubject) {
466 metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
467 bool is_trusted = true;
468 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
469 EXPECT_FALSE(is_trusted);
470 }
471
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedUsage)472 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedUsage) {
473 metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
474 bool is_trusted = true;
475 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
476 EXPECT_FALSE(is_trusted);
477 }
478
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedKeyVersion)479 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedKeyVersion) {
480 metadata_.product_signing_key_certificate.signed_data.key_version ^= 1;
481 bool is_trusted = true;
482 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
483 EXPECT_FALSE(is_trusted);
484 }
485
TEST_F(AvbAtxValidateTest,BadPSKCert_BadSignature)486 TEST_F(AvbAtxValidateTest, BadPSKCert_BadSignature) {
487 metadata_.product_signing_key_certificate.signature[0] ^= 1;
488 bool is_trusted = true;
489 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
490 EXPECT_FALSE(is_trusted);
491 }
492
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedSubject)493 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedSubject) {
494 metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
495 SignPSKCertificate();
496 bool is_trusted = true;
497 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
498 EXPECT_FALSE(is_trusted);
499 }
500
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedUsage)501 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedUsage) {
502 metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
503 SignPSKCertificate();
504 bool is_trusted = true;
505 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
506 EXPECT_FALSE(is_trusted);
507 }
508
TEST_F(AvbAtxValidateTest,PSKRollback)509 TEST_F(AvbAtxValidateTest, PSKRollback) {
510 ops_.set_stored_rollback_indexes(
511 {{AVB_ATX_PIK_VERSION_LOCATION, 0},
512 {AVB_ATX_PSK_VERSION_LOCATION,
513 metadata_.product_signing_key_certificate.signed_data.key_version +
514 1}});
515 bool is_trusted = true;
516 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
517 EXPECT_FALSE(is_trusted);
518 }
519
520 // A fixture with parameterized public key length.
521 class AvbAtxValidateTestWithPublicKeyLength
522 : public AvbAtxValidateTest,
523 public ::testing::WithParamInterface<size_t> {
524 protected:
Validate(bool * is_trusted)525 AvbIOResult Validate(bool* is_trusted) override {
526 return avb_atx_validate_vbmeta_public_key(
527 ops_.avb_ops(),
528 metadata_.product_signing_key_certificate.signed_data.public_key,
529 GetParam(),
530 reinterpret_cast<const uint8_t*>(&metadata_),
531 sizeof(metadata_),
532 is_trusted);
533 }
534 };
535
TEST_P(AvbAtxValidateTestWithPublicKeyLength,InvalidPublicKeyLength)536 TEST_P(AvbAtxValidateTestWithPublicKeyLength, InvalidPublicKeyLength) {
537 bool is_trusted = true;
538 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
539 EXPECT_FALSE(is_trusted);
540 }
541
542 // Test a bunch of invalid public key length values.
543 INSTANTIATE_TEST_CASE_P(P,
544 AvbAtxValidateTestWithPublicKeyLength,
545 ::testing::Values(0,
546 1,
547 AVB_ATX_PUBLIC_KEY_SIZE - 1,
548 AVB_ATX_PUBLIC_KEY_SIZE + 1,
549 AVB_ATX_PUBLIC_KEY_SIZE - 512,
550 -1));
551
TEST_F(AvbAtxValidateTest,PSKMismatch)552 TEST_F(AvbAtxValidateTest, PSKMismatch) {
553 uint8_t bad_key[AVB_ATX_PUBLIC_KEY_SIZE] = {};
554 bool is_trusted = true;
555 EXPECT_EQ(AVB_IO_RESULT_OK,
556 avb_atx_validate_vbmeta_public_key(
557 ops_.avb_ops(),
558 bad_key,
559 AVB_ATX_PUBLIC_KEY_SIZE,
560 reinterpret_cast<const uint8_t*>(&metadata_),
561 sizeof(metadata_),
562 &is_trusted));
563 EXPECT_FALSE(is_trusted);
564 }
565
566 // A fixture for testing avb_slot_verify() with ATX.
567 class AvbAtxSlotVerifyTest : public BaseAvbToolTest,
568 public FakeAvbOpsDelegateWithDefaults {
569 public:
570 ~AvbAtxSlotVerifyTest() override = default;
571
SetUp()572 void SetUp() override {
573 BaseAvbToolTest::SetUp();
574 ReadAtxDefaultData();
575 ops_.set_partition_dir(testdir_);
576 ops_.set_delegate(this);
577 ops_.set_permanent_attributes(attributes_);
578 ops_.set_stored_rollback_indexes({{0, 0},
579 {1, 0},
580 {2, 0},
581 {3, 0},
582 {AVB_ATX_PIK_VERSION_LOCATION, 0},
583 {AVB_ATX_PSK_VERSION_LOCATION, 0}});
584 ops_.set_stored_is_device_unlocked(false);
585 }
586
587 // FakeAvbOpsDelegate override.
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)588 AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
589 const uint8_t* public_key_data,
590 size_t public_key_length,
591 const uint8_t* public_key_metadata,
592 size_t public_key_metadata_length,
593 bool* out_key_is_trusted) override {
594 // Send to ATX implementation.
595 ++num_atx_calls_;
596 return avb_atx_validate_vbmeta_public_key(ops_.avb_ops(),
597 public_key_data,
598 public_key_length,
599 public_key_metadata,
600 public_key_metadata_length,
601 out_key_is_trusted);
602 }
603
604 protected:
605 AvbAtxPermanentAttributes attributes_;
606 int num_atx_calls_ = 0;
607
608 private:
ReadAtxDefaultData()609 void ReadAtxDefaultData() {
610 std::string tmp;
611 ASSERT_TRUE(
612 base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
613 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
614 memcpy(&attributes_, tmp.data(), tmp.size());
615 }
616 };
617
TEST_F(AvbAtxSlotVerifyTest,SlotVerifyWithAtx)618 TEST_F(AvbAtxSlotVerifyTest, SlotVerifyWithAtx) {
619 std::string metadata_option = "--public_key_metadata=";
620 metadata_option += kMetadataPath;
621 GenerateVBMetaImage("vbmeta_a.img",
622 "SHA512_RSA4096",
623 0,
624 base::FilePath("test/data/testkey_atx_psk.pem"),
625 metadata_option);
626
627 ops_.set_expected_public_key(
628 PublicKeyAVB(base::FilePath("test/data/testkey_atx_psk.pem")));
629
630 AvbSlotVerifyData* slot_data = NULL;
631 const char* requested_partitions[] = {"boot", NULL};
632 EXPECT_EQ(AVB_SLOT_VERIFY_RESULT_OK,
633 avb_slot_verify(ops_.avb_ops(),
634 requested_partitions,
635 "_a",
636 AVB_SLOT_VERIFY_FLAGS_NONE,
637 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
638 &slot_data));
639 EXPECT_NE(nullptr, slot_data);
640 avb_slot_verify_data_free(slot_data);
641 EXPECT_EQ(1, num_atx_calls_);
642 }
643
644 } // namespace avb
645